Introduction
The Data Protection Commission (the “Commission”) Zambia is set to commence the enforcement of the Data Protection Act No. 3 of 2021 (the “Act”) in March 2025. This marks a crucial milestone in Zambia’s data protection landscape, ensuring compliance with legal standards, strengthening the protection of personal data, and fostering accountability among organisations handling personal information. The enforcement phase underscores the Commission’s commitment to upholding data privacy rights and enforcing penalties for non-compliance.
Key Enforcement Areas
From March 2025, the Commission will begin active enforcement in the following key areas:
1. Registration of Data Controllers and Processors
Under section 20 of the Act, all organisations that collect and process personal data must register with the Commission. The Commission will verify compliance before issuing registration certificates. Entities that fail to register will be subject to administrative penalties.
Implications of Non-Compliance
Entities that do not comply with the Act may face:
a. Fines and penalties.
b. Suspension or revocation of licenses and registrations.
c. Legal action, including prosecution for serious violations.
d. Reputational damage, affecting public trust and business continuity.
Call to Action
The Commission urges all data controllers, processors, and auditors to review their data protection policies and practices to ensure compliance before the enforcement phase begins. Organisations are encouraged to:
a. Complete their registration and licensing requirements with the Commission.
b. Implement robust security measures to protect personal data.
c. Establish internal data protection policies that align with the Act.
d. Educate employees on data protection best practices, in collaboration with the Commission.
Issued by: Mr. Likando Lyuwa
Data Protection Commission Zambia
18th February 2025